rpms/selinux-policy/F-9 policy-20071130.patch,1.210,1.211

Daniel J Walsh dwalsh at fedoraproject.org
Fri Sep 19 14:26:24 UTC 2008


Author: dwalsh

Update of /cvs/extras/rpms/selinux-policy/F-9
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv16138

Modified Files:
	policy-20071130.patch 
Log Message:
* Tue Sep 18 2008 Dan Walsh <dwalsh at redhat.com> 3.3.1-92
- Dontaudit attempts to write user_tmp_t by gssd_t


policy-20071130.patch:

Index: policy-20071130.patch
===================================================================
RCS file: /cvs/extras/rpms/selinux-policy/F-9/policy-20071130.patch,v
retrieving revision 1.210
retrieving revision 1.211
diff -u -r1.210 -r1.211
--- policy-20071130.patch	19 Sep 2008 13:54:21 -0000	1.210
+++ policy-20071130.patch	19 Sep 2008 14:26:23 -0000	1.211
@@ -11163,7 +11163,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/apache.te serefpolicy-3.3.1/policy/modules/services/apache.te
 --- nsaserefpolicy/policy/modules/services/apache.te	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-09-19 09:53:01.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/apache.te	2008-09-19 10:06:13.000000000 -0400
 @@ -20,6 +20,8 @@
  # Declarations
  #
@@ -11609,18 +11609,15 @@
  
  files_read_etc_files(httpd_suexec_t)
  files_read_usr_files(httpd_suexec_t)
-@@ -626,8 +760,10 @@
- 	corenet_udp_sendrecv_all_ports(httpd_suexec_t)
- 	corenet_tcp_connect_all_ports(httpd_suexec_t)
+@@ -628,6 +762,7 @@
  	corenet_sendrecv_all_client_packets(httpd_suexec_t)
-+	sysnet_dns_name_resolve(httpd_suexec_t)
  ')
  
 +domain_entry_file(httpd_sys_script_t,httpd_sys_content_t)
  tunable_policy(`httpd_enable_cgi && httpd_unified',`
  	domtrans_pattern(httpd_suexec_t, httpdcontent, httpd_sys_script_t)
  ')
-@@ -638,6 +774,12 @@
+@@ -638,6 +773,12 @@
  	fs_exec_nfs_files(httpd_suexec_t)
  ')
  
@@ -11633,7 +11630,7 @@
  tunable_policy(`httpd_enable_homedirs && use_samba_home_dirs',`
  	fs_read_cifs_files(httpd_suexec_t)
  	fs_read_cifs_symlinks(httpd_suexec_t)
-@@ -655,10 +797,6 @@
+@@ -655,10 +796,6 @@
  	dontaudit httpd_suexec_t httpd_t:unix_stream_socket { read write };
  ')
  
@@ -11644,7 +11641,7 @@
  ########################################
  #
  # Apache system script local policy
-@@ -668,7 +806,8 @@
+@@ -668,7 +805,8 @@
  
  dontaudit httpd_sys_script_t httpd_config_t:dir search;
  
@@ -11654,7 +11651,7 @@
  
  allow httpd_sys_script_t squirrelmail_spool_t:dir list_dir_perms;
  read_files_pattern(httpd_sys_script_t,squirrelmail_spool_t,squirrelmail_spool_t)
-@@ -682,15 +821,45 @@
+@@ -682,15 +820,46 @@
  # Should we add a boolean?
  apache_domtrans_rotatelogs(httpd_sys_script_t)
  
@@ -11679,6 +11676,8 @@
 +	allow httpd_sys_script_t self:tcp_socket create_stream_socket_perms;
 +	allow httpd_sys_script_t self:udp_socket create_socket_perms;
 +
++	corenet_tcp_bind_all_nodes(httpd_sys_script_t)
++	corenet_udp_bind_all_nodes(httpd_sys_script_t)
 +	corenet_all_recvfrom_unlabeled(httpd_sys_script_t)
 +	corenet_all_recvfrom_netlabel(httpd_sys_script_t)
 +	corenet_tcp_sendrecv_all_if(httpd_sys_script_t)
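Review bot: The two added lines `corenet_tcp_bind_all_nodes(httpd_sys_script_t)` and `corenet_udp_bind_all_nodes(httpd_sys_script_t)` widen the network permissions of CGI scripts, but the log message for this revision records only the gssd_t dontaudit. The conditional block that contains them opens outside this hunk, so the boolean that gates the grant cannot be confirmed from here. I would add a changelog entry along the lines of `- Allow httpd_sys_script_t to bind to all nodes when <boolean name> is enabled`, and a one-line comment above the two rules stating why scripts need to bind. That gives anyone auditing the httpd domains a way to trace the grant back to a reason.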
@@ -11689,7 +11688,6 @@
 +	corenet_udp_sendrecv_all_ports(httpd_sys_script_t)
 +	corenet_tcp_connect_all_ports(httpd_sys_script_t)
 +	corenet_sendrecv_all_client_packets(httpd_sys_script_t)
-+	sysnet_dns_name_resolve(httpd_sys_script_t)
 +')
 +
 +
@@ -23239,7 +23237,7 @@
 +/var/spool/postfix/postgrey(/.*)?	gen_context(system_u:object_r:postgrey_spool_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/postgrey.if serefpolicy-3.3.1/policy/modules/services/postgrey.if
 --- nsaserefpolicy/policy/modules/services/postgrey.if	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/services/postgrey.if	2008-09-08 11:45:12.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/postgrey.if	2008-09-19 10:23:53.000000000 -0400
 @@ -12,10 +12,82 @@
  #
  interface(`postgrey_stream_connect',`
@@ -23249,8 +23247,9 @@
          ')
  
  	allow $1 postgrey_t:unix_stream_socket connectto;
-         allow $1 postgrey_var_run_t:sock_file write;
-+        allow $1 postgrey_spool_t:sock_file write;
+-        allow $1 postgrey_var_run_t:sock_file write;
++	write_sock_files_pattern($1, postgrey_var_run_t,  postgrey_var_run_t)
++	write_sock_files_pattern($1, postgrey_spool_t,  postgrey_spool_t)
  	files_search_pids($1)
  ')
 +
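Review bot: In `postgrey_stream_connect` the new `write_sock_files_pattern($1, postgrey_spool_t, postgrey_spool_t)` line has no visible counterpart to `files_search_pids($1)` for the spool side. The pattern presumably grants search only on the postgrey_spool_t directory itself, so a caller still needs to traverse the parent spool directories to reach the socket. If callers are not known to have that already, consider adding `files_search_spool($1)` next to `files_search_pids($1)`. The `gen_require` block and the interface's doc comment are outside this hunk: confirm that `postgrey_spool_t` is declared there, and that the summary says the interface now covers sockets in both the run and spool locations. As a style point, the two pattern calls have a doubled space after the second comma.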
@@ -23764,7 +23763,7 @@
 +')
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/services/prelude.te serefpolicy-3.3.1/policy/modules/services/prelude.te
 --- nsaserefpolicy/policy/modules/services/prelude.te	1969-12-31 19:00:00.000000000 -0500
-+++ serefpolicy-3.3.1/policy/modules/services/prelude.te	2008-09-19 09:41:26.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/services/prelude.te	2008-09-19 10:06:47.000000000 -0400
 @@ -0,0 +1,260 @@
 +
 +policy_module(prelude, 1.0.0)
@@ -23998,7 +23997,7 @@
 +')
 +
 +optional_policy(`
-+	apache_search_sys_content(httpd_lml_t)
++	apache_search_sys_content(prelude_lml_t)
 +	apache_read_log(prelude_lml_t)
 +')
 +
@@ -36006,7 +36005,7 @@
 +/etc/firestarter/firestarter\.sh gen_context(system_u:object_r:dhcpc_helper_exec_t,s0)
 diff --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/sysnetwork.if serefpolicy-3.3.1/policy/modules/system/sysnetwork.if
 --- nsaserefpolicy/policy/modules/system/sysnetwork.if	2008-06-12 23:38:01.000000000 -0400
-+++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if	2008-09-08 11:45:13.000000000 -0400
++++ serefpolicy-3.3.1/policy/modules/system/sysnetwork.if	2008-09-19 10:05:27.000000000 -0400
 @@ -145,6 +145,25 @@
  
  ########################################



